Skip to main content
Complete Olympic Games coverage at your fingertips
Your inside track on the Olympic Games
Enjoy unlimited digital access
$1.99
per week for 24 weeks
Complete Olympic Games coverage at your fingertips
Your inside track onthe Olympics Games
$1.99
per week
for 24 weeks
// //

Chris Chezepock is belatedly scrambling to inform his financial institutions and others about the possible vulnerability of his online credentials.

Tijana Martin/The Globe and Mail

Chris Chezepock thought he was making a simple call to unlock his online taxpayer account when he rang up the Canada Revenue Agency on Wednesday morning.

Instead, the 31-year-old Toronto man discovered that his identity had been hijacked, with a CRA agent informing him that his banking information changed, and two fraudulent applications had been made under his name for the Canada Emergency Response Benefit.

“It was quite a stressful morning, because I’m thinking what about my credit cards, what about everything?” Mr. Chezepock said.

Story continues below advertisement

He is one of nearly 800,000 Canadians who have had their accounts locked by the CRA over security concerns in recent months. And he is also part of an unhappy and growing subset: the more than 10,000 taxpayers whose accounts have been illicitly accessed by hackers, using stolen log-in credentials to try to obtain CERB benefits.

It’s not yet clear how successful those fraudulent efforts were in obtaining CERB benefits, worth $2,000 a month for a maximum payout of $14,000. In a statement, the CRA did not directly respond to a question about how many fraudulent CERB payments had been obtained. But the agency did note in a statement that taxpayers who fall prey to these identity theft attacks will not be responsible for any unauthorized claims, and that it is strengthening security protocols for user log-ins.

Mr. Chezepock said the CRA agent he spoke to wasn’t sure whether the two claims submitted under his name resulted in any payments being made – or whether a tax slip is headed his way that would require him to pay income tax on any benefits. CRA agents told him repeatedly not to worry, and that he could disregard any tax slip; he’s finding it hard to take the advice not to fret.

Part of his frustration comes from the CRA’s lack of clarity, and part comes from the subdued wording in a warning letter the agency sent to affected Canadians. The letter does not mention the phrase “identity theft.” Instead, it states that “user IDs and passwords may have been acquired and used by external actors to gain access to the personal information included in your CRA My Account.” The letter later notes that recipients should check their accounts for “any suspicious activity, such as changes to your direct deposit and address information.”

That wasn’t enough to set off alarm bells for Mr. Chezepock when he received an initial letter from the CRA in the fall. Earlier this month, he called to obtain a second letter, with a verification code allowing him to unlock his accounts.

Now, Mr. Chezepock is belatedly scrambling to inform his financial institutions and others about the possible vulnerability of his online credentials. He would have acted much more quickly if the CRA had issued a stronger warning, he said. “I would have hoped they would have been far more up front.”

Cybersecurity expert David Shipley said the push to pay out tens of billions in pandemic support benefits by electronic deposit has made agencies such as the CRA an obvious target for hacker attacks. “They’ve become banks as well as a tax agency,” said Mr. Shipley, chief executive officer and co-founder of Fredericton-based Beauceron Security Inc. (The company supplies cybersecurity services to Canadian government entities, but not to the CRA.)

Story continues below advertisement

But government agencies devote far fewer resources to cybersecurity than do private financial institutions, he said.

According to the federal government’s Canadian Anti-Fraud Centre, complaints of identity fraud nearly doubled in 2020 over 2019, rising to 17,032 reported cases from 8,641. CERB-specific complaints accounted for more than four-fifths of the increase.

Jeff Thomson, senior RCMP intelligence analyst at the centre, said the surge in CERB-related identity theft complaints has continued into 2021, with total cases logged since March hitting 10,237, including preliminary data for February.

There has been a pattern of persistent cyberattacks on the federal government that has stretched over months, including a fresh warning from the Treasury Board of Canada Secretariat last Friday.

The first news of cyber incursions came in August, when the Treasury Board Secretariat said thousands of accounts that individuals used to access services (including CRA accounts) had been compromised through credential-stuffing attacks, which attempt to use passwords and user names harvested by hackers elsewhere to illicitly log on.

In February, the CRA locked the accounts of 187,000 individuals after an analysis indicated that unauthorized third parties might have obtained user names and passwords.

Story continues below advertisement

The agency stressed that the security of its own site had not been breached but that it locked the accounts as a precautionary measure after its online monitoring indicated that unauthorized third parties had obtained log-in credentials from other websites that could match up with those taxpayers using the CRA’s portal.

On March 12, the CRA warned that it was locking an additional 612,000 accounts over the same concerns and noted that such preventative measures might become more frequent.

And on Friday, the Treasury Board disclosed a separate threat involving an attack on a private-sector company that does business with the federal government. The CRA was not among the affected government departments, according to an e-mail from the Treasury Board.

Mr. Shipley said more attacks should be expected, in Canada and elsewhere. “There is obviously a well-organized criminal group, or a series of criminal groups, now targeting governments.”

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow the author of this article:

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies